10-30-2017 03:38 PM - edited 02-21-2020 06:36 AM
According to TAC, Cisco will not support user identification behind a proxy IP address even if it sends X-Forwarded-For headers. This is a real let down, as other vendors do support this. Almost all organizations have some form of URL filtering, and many require the use of an internal proxy server.
They said "Put the proxy in front of the firewall". This is a ridiculous answer to the problem. The issue being SFM can not map the LDAP users to the "origin client IP". This is a big problem since you can not create user based rules or events etc., or trace down issues easily at all. Seems like an easy fix that could be solved with some sort of regex script.
This case has been open over a month and this is what they came up with. Not to mention many Firepower cases take forever to resolve using TAC.